From 2c32fdef693e6340feacc65d3591ee29d5028c07 Mon Sep 17 00:00:00 2001 From: Angel Fernando Quiroz Campos <1697880+AngelFQC@users.noreply.github.com> Date: Wed, 16 Oct 2024 18:48:10 -0500 Subject: [PATCH] Security: User FormValidator::addHtmlEditor FormValidator::addElement('html_editor') --- ...MultipleAnswerTrueFalseDegreeCertainty.php | 2 ++ main/exercise/calculated_answer.class.php | 1 + main/exercise/exercise_show.php | 10 +++++--- main/exercise/fill_blanks.class.php | 12 +++++---- .../exercise/global_multiple_answer.class.php | 21 ++++++++-------- .../multiple_answer_combination.class.php | 21 ++++++++-------- .../multiple_answer_true_false.class.php | 1 + .../unique_answer_no_option.class.php | 8 +++--- main/forum/forumfunction.inc.php | 25 +++++++++---------- main/glossary/index.php | 12 ++++----- main/inc/lib/agenda.lib.php | 7 +++--- .../lib/formvalidator/FormValidator.class.php | 1 + main/lp/learnpath.class.php | 2 +- main/lp/lp_edit.php | 6 ++--- main/notebook/index.php | 18 +++++++------ main/survey/create_new_survey.php | 24 +++++++++--------- .../notebookteacher/src/NotebookTeacher.php | 7 +++--- 17 files changed, 94 insertions(+), 84 deletions(-) diff --git a/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php b/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php index 12535118cf..c1c3e5283c 100644 --- a/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php +++ b/main/exercise/MultipleAnswerTrueFalseDegreeCertainty.php @@ -163,6 +163,7 @@ class MultipleAnswerTrueFalseDegreeCertainty extends Question ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100'] ); $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required'); + $form->applyFilter("answer[$i]", 'attr_on_filter'); if (isset($_POST['answer']) && isset($_POST['answer'][$i])) { $txtAnswer->setValue(Security::remove_XSS($_POST['answer'][$i])); 
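Review bot: The new `$form->applyFilter("answer[$i]", 'attr_on_filter')` only rewrites the value QuickForm hands back through `exportValues()`/`getSubmitValue()`; the two context lines below read `$_POST['answer'][$i]` directly, and any save path that does the same receives the unfiltered HTML. If the question's save code reads `$_POST` too, switch it to the form's exported values or apply the same filter there, otherwise the filter is cosmetic for what gets stored. The `$txtAnswer` element is created above the hunk; if it already comes from `addHtmlEditor`, which this patch makes apply `attr_on_filter` itself, this call filters the value a second time and can be dropped.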
@@ -177,6 +178,7 @@ class MultipleAnswerTrueFalseDegreeCertainty extends Question ['style' => 'vertical-align:middle;'], ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100'] ); + $form->applyFilter("comment[$i]", 'attr_on_filter'); if (isset($_POST['comment']) && isset($_POST['comment'][$i])) { $txtComment->setValue(Security::remove_XSS($_POST['comment'][$i])); diff --git a/main/exercise/calculated_answer.class.php b/main/exercise/calculated_answer.class.php index 7efa10802a..530c6f17a1 100644 --- a/main/exercise/calculated_answer.class.php +++ b/main/exercise/calculated_answer.class.php @@ -133,6 +133,7 @@ class CalculatedAnswer extends Question $form->addRule('answer', get_lang('GiveText'), 'required'); $form->addRule('answer', get_lang('DefineBlanks'), 'regex', '/\[.*\]/'); + $form->applyFilter('answer', 'attr_on_filter'); $form->addElement('label', null, get_lang('IfYouWantOnlyIntegerValuesWriteBothLimitsWithoutDecimals')); $form->addElement('html', '
'); diff --git a/main/exercise/exercise_show.php b/main/exercise/exercise_show.php index 01661fd73f..fb33cf4eb9 100755 --- a/main/exercise/exercise_show.php +++ b/main/exercise/exercise_show.php @@ -659,12 +659,13 @@ foreach ($questionList as $questionId) { $default = [$textareaId => $comnt]; if ($useAdvancedEditor) { - $feedback_form->addElement( - 'html_editor', + $feedback_form->addHtmlEditor( $textareaId, - null, - ['id' => $textareaId], + '', + false, + false, [ + 'id' => $textareaId, 'ToolbarSet' => 'TestAnswerFeedback', 'Width' => '100%', 'Height' => '120', @@ -672,6 +673,7 @@ foreach ($questionList as $questionId) { ); } else { $feedback_form->addElement('textarea', $textareaId, ['id' => $textareaId]); + $feedback_form->applyFilter($textareaId, 'attr_on_filter'); } $feedback_form->setDefaults($default); $feedback_form->display(); diff --git a/main/exercise/fill_blanks.class.php b/main/exercise/fill_blanks.class.php index 0993dfc929..6fef845c39 100755 --- a/main/exercise/fill_blanks.class.php +++ b/main/exercise/fill_blanks.class.php @@ -338,14 +338,16 @@ class FillBlanks extends Question null, get_lang('TypeTextBelow').', '.get_lang('And').' '.get_lang('UseTagForBlank') ); - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'answer', Display::return_icon('fill_field.png'), - ['id' => 'answer'], - ['ToolbarSet' => 'TestQuestionDescription'] + true, + false, + [ + 'id' => 'answer', + 'ToolbarSet' => 'TestQuestionDescription', + ] ); - $form->addRule('answer', get_lang('GiveText'), 'required'); //added multiple answers $form->addElement('checkbox', 'multiple_answer', '', get_lang('FillInBlankSwitchable')); diff --git a/main/exercise/global_multiple_answer.class.php b/main/exercise/global_multiple_answer.class.php index 21a174f86c..46b4092d26 100755 --- a/main/exercise/global_multiple_answer.class.php +++ b/main/exercise/global_multiple_answer.class.php 
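Review bot: `'id' => $textareaId` moves from the element attribute array into the editor `$config`, so the rendered id now depends on `addHtmlEditor` copying `config['id']` onto the element — that mapping is not visible in this patch, while the `textarea` fallback in the next hunk still passes `['id' => $textareaId]` as a real attribute. If the mapping does not exist, the two branches render different ids and any script targeting the editor by id breaks only when the advanced editor is enabled. Confirm that `addHtmlEditor` honours `config['id']` (the agenda hunk relies on the same for `style`), or note it at the call: `// id is read from $config by addHtmlEditor`.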
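Review bot: Passing `true` as the third argument makes `addHtmlEditor` register the required rule with `get_lang('ThisFieldIsRequired')`, whereas the removed `$form->addRule('answer', get_lang('GiveText'), 'required')` showed the more specific `GiveText` message. If that wording was intentional, keep the explicit rule and pass `false` here, as the `unique_answer_no_option` hunks do; otherwise this is a user-visible message change worth a mention in the commit description.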
@@ -119,23 +119,22 @@ class GlobalMultipleAnswer extends Question $form->addElement('checkbox', 'correct['.$i.']', null, null, 'class="checkbox"'); $boxes_names[] = 'correct['.$i.']'; - $form->addElement( - 'html_editor', - 'answer['.$i.']', - null, - [], + $form->addHtmlEditor( + "answer[$i]", + '', + false, + false, [ 'ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100', ] ); - $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required'); - $form->addElement( - 'html_editor', - 'comment['.$i.']', - null, - [], + $form->addHtmlEditor( + "comment[$i]", + '', + false, + false, [ 'ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', diff --git a/main/exercise/multiple_answer_combination.class.php b/main/exercise/multiple_answer_combination.class.php index ed6c110005..a951b2c7bd 100755 --- a/main/exercise/multiple_answer_combination.class.php +++ b/main/exercise/multiple_answer_combination.class.php @@ -121,20 +121,19 @@ class MultipleAnswerCombination extends Question ); $boxes_names[] = 'correct['.$i.']'; - $form->addElement( - 'html_editor', - 'answer['.$i.']', - null, - [], + $form->addHtmlEditor( + "answer[$i]", + '', + true, + false, ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100'] ); - $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required'); - $form->addElement( - 'html_editor', - 'comment['.$i.']', - null, - [], + $form->addHtmlEditor( + "comment[$i]", + '', + false, + false, ['ToolbarSet' => 'TestProposedAnswer', 'Width' => '100%', 'Height' => '100'] ); diff --git a/main/exercise/multiple_answer_true_false.class.php b/main/exercise/multiple_answer_true_false.class.php index 35403c0025..b971ef4d08 100755 --- a/main/exercise/multiple_answer_true_false.class.php +++ b/main/exercise/multiple_answer_true_false.class.php 
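Review bot: `answer[$i]` stops being a required field in this hunk: the explicit `$form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required');` is removed and `addHtmlEditor` is called with `$required = false`, while the parallel change in `multiple_answer_combination.class.php` passes `true` for the same field. Unless dropping the requirement is intended, pass it through the new argument: `$form->addHtmlEditor("answer[$i]", '', true, false, [`. The enclosing loop starts and ends outside the hunk.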
@@ -162,6 +162,7 @@ class MultipleAnswerTrueFalse extends Question 'Height' => '100', ] ); + $form->applyFilter("comment[$i]", 'attr_on_filter'); if (isset($_POST['comment']) && isset($_POST['comment'][$i])) { $txtComment->setValue(Security::remove_XSS($_POST['comment'][$i])); diff --git a/main/exercise/unique_answer_no_option.class.php b/main/exercise/unique_answer_no_option.class.php index 8fd2f5a295..4a58379839 100755 --- a/main/exercise/unique_answer_no_option.class.php +++ b/main/exercise/unique_answer_no_option.class.php @@ -190,9 +190,9 @@ class UniqueAnswerNoOption extends Question $answer_number->freeze(); $form->addElement('radio', 'correct', null, null, $i, 'class="checkbox" style="margin-left: 0em;"'); - $form->addElement('html_editor', 'answer['.$i.']', null, [], $editor_config); + $form->addHtmlEditor("answer[$i]", '', false, false, $editor_config); - $form->addElement('html_editor', 'comment['.$i.']', null, [], $editor_config); + $form->addHtmlEditor("comment[$i]", '', false, false, $editor_config); $form->addElement('text', 'weighting['.$i.']', null, ['style' => 'width: 60px;', 'value' => '0']); $form->addElement('html', ''); $i++; @@ -240,10 +240,10 @@ class UniqueAnswerNoOption extends Question $form->addElement('hidden', 'position['.$i.']', '666'); $form->addElement('radio', 'correct', null, null, $i, ['class' => 'checkbox', 'disabled' => true]); - $form->addElement('html_editor', 'answer['.$i.']', null, [], $editor_config); + $form->addHtmlEditor("answer[$i]", '', false, false, $editor_config); $form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required'); - $form->addElement('html_editor', 'comment['.$i.']', null, [], $editor_config); + $form->addHtmlEditor("comment[$i]", '', false, false, $editor_config); $form->addElement('text', "weighting[$i]", null)->freeze(); $form->addHTml(''); diff --git a/main/forum/forumfunction.inc.php b/main/forum/forumfunction.inc.php index 0adb95d75e..c7cf649ba2 100755 
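Review bot: The added `$form->applyFilter("comment[$i]", 'attr_on_filter')` affects only values read back through the form (`exportValues()`/`getSubmitValue()`); the `isset($_POST['comment'][$i])` branch directly below bypasses it and relies on `Security::remove_XSS` instead. Make sure the save handler (outside this hunk) reads the filtered form values rather than `$_POST`, or the stored comment never sees the new filter. The `$txtComment` element is created above the hunk; if it is an `addHtmlEditor` element, this patch's FormValidator change already applies the same filter and this line is redundant.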
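Review bot: The second `unique_answer_no_option` hunk keeps the explicit `$form->addRule('answer['.$i.']', get_lang('ThisFieldIsRequired'), 'required');` next to `addHtmlEditor("answer[$i]", '', false, false, $editor_config)`, while the rest of the patch folds that rule into the `$required` argument. For consistency use `$form->addHtmlEditor("answer[$i]", '', true, false, $editor_config);` and drop the separate rule; the message text is the same `ThisFieldIsRequired` either way.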
--- a/main/forum/forumfunction.inc.php +++ b/main/forum/forumfunction.inc.php @@ -202,11 +202,11 @@ function show_add_forumcategory_form($lp_id) $form->addElement('header', get_lang('AddForumCategory')); $form->addElement('text', 'forum_category_title', get_lang('Title'), ['autofocus']); $form->applyFilter('forum_category_title', 'html_filter'); - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'forum_category_comment', get_lang('Description'), - null, + false, + false, ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200'] ); @@ -283,11 +283,11 @@ function show_add_forum_form($inputvalues = [], $lp_id = 0) $form->applyFilter('forum_title', 'html_filter'); // The comment of the forum. - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'forum_comment', get_lang('Description'), - null, + false, + false, ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200'] ); @@ -533,11 +533,11 @@ function show_edit_forumcategory_form($inputvalues = []) $form->addElement('text', 'forum_category_title', get_lang('Title')); $form->applyFilter('forum_category_title', 'html_filter'); - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'forum_category_comment', get_lang('Comment'), - null, + false, + false, ['ToolbarSet' => 'Forum', 'Width' => '98%', 'Height' => '200'] ); @@ -4047,11 +4047,11 @@ function show_edit_post_form( $form->addElement('text', 'post_title', get_lang('Title')); $form->applyFilter('post_title', 'html_filter'); - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'post_text', get_lang('Text'), - null, + true, + false, api_is_allowed_to_edit(null, true) ? [ 'ToolbarSet' => 'Forum', 'Width' => '100%', @@ -4063,7 +4063,6 @@ function show_edit_post_form( 'UserStatus' => 'student', ] ); - $form->addRule('post_text', get_lang('ThisFieldIsRequired'), 'required'); $extraFields = new ExtraField('forum_post'); $extraFields->addElements($form, $current_post['post_id']); 
diff --git a/main/glossary/index.php b/main/glossary/index.php index 56b72a21fc..3dee76f303 100755 --- a/main/glossary/index.php +++ b/main/glossary/index.php @@ -98,11 +98,11 @@ switch ($action) { $form->addElement('text', 'name', get_lang('TermName'), ['id' => 'glossary_title']); } - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'description', get_lang('TermDefinition'), - null, + false, + false, ['ToolbarSet' => 'Glossary', 'Height' => '300'] ); $form->addButtonCreate(get_lang('TermAddButton'), 'SubmitGlossary'); @@ -162,11 +162,11 @@ switch ($action) { $form->addElement('text', 'name', get_lang('TermName'), ['id' => 'glossary_title']); } - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'description', get_lang('TermDefinition'), - null, + false, + false, ['ToolbarSet' => 'Glossary', 'Height' => '300'] ); diff --git a/main/inc/lib/agenda.lib.php b/main/inc/lib/agenda.lib.php index c9e1ce906f..1a241b8bde 100644 --- a/main/inc/lib/agenda.lib.php +++ b/main/inc/lib/agenda.lib.php @@ -3106,12 +3106,13 @@ class Agenda $toolbar = 'AgendaStudent'; } - $form->addElement( - 'html_editor', + $form->addHtmlEditor( 'content', get_lang('Description'), - null, + false, + false, [ + 'style' => 'vertical-align:middle;', 'ToolbarSet' => $toolbar, 'Width' => '100%', 'Height' => '200', diff --git a/main/inc/lib/formvalidator/FormValidator.class.php b/main/inc/lib/formvalidator/FormValidator.class.php index 3224a7dc7a..45aa25757d 100755 --- a/main/inc/lib/formvalidator/FormValidator.class.php +++ b/main/inc/lib/formvalidator/FormValidator.class.php @@ -384,6 +384,7 @@ EOT; if ($required) { $this->addRule($name, get_lang('ThisFieldIsRequired'), 'required'); } + $this->applyFilter($name, 'attr_on_filter'); return $element; } diff --git a/main/lp/learnpath.class.php b/main/lp/learnpath.class.php index 3e51bec124..07f7346522 100755 --- a/main/lp/learnpath.class.php +++ b/main/lp/learnpath.class.php 
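Review bot: The added `'style' => 'vertical-align:middle;'` in the agenda hunk is unrelated to the editor/filter change, and whether `addHtmlEditor` maps a `style` key of `$config` onto the element attributes is not visible in this patch; the old call's separate attribute array is dropped here. Either confirm the mapping or remove the key so the security patch stays minimal and reviewable.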
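Review bot: `$this->applyFilter($name, 'attr_on_filter')` only transforms the value QuickForm keeps from the request, so the protection reaches callers that read `$form->exportValues()`/`getSubmitValue()`; code that reads `$_POST[$name]` directly (several exercise hunks in this patch do so for redisplay) and data written through other paths (imports, API, pre-existing rows) stay untouched, so output-side escaping must remain in place. Document the new behaviour on the method so callers do not stack a second filter: `// Submitted HTML is passed through attr_on_filter; read it via exportValues()/getSubmitValue(), not $_POST.` The method's signature and docblock start outside the hunk.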
@@ -9054,7 +9054,7 @@ class learnpath 'BaseHref' => api_get_path(WEB_COURSE_PATH).api_get_course_path().$item_path_fck, ]; - $form->addElement('html_editor', 'content_lp', '', null, $editor_config); + $form->addHtmlEditor('content_lp', '', true, true, $editor_config); $content_path = api_get_path(SYS_COURSE_PATH).api_get_course_path().$item_path_fck; $defaults['content_lp'] = file_get_contents($content_path); } diff --git a/main/lp/lp_edit.php b/main/lp/lp_edit.php index 286c2e6a70..6b0425e251 100755 --- a/main/lp/lp_edit.php +++ b/main/lp/lp_edit.php @@ -104,11 +104,11 @@ if (api_get_setting('allow_course_theme') === 'true') { } // Author -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'lp_author', get_lang('Author'), - ['size' => 80], + false, + false, ['ToolbarSet' => 'LearningPathAuthor', 'Width' => '100%', 'Height' => '200px'] ); $form->applyFilter('lp_author', 'html_filter'); diff --git a/main/notebook/index.php b/main/notebook/index.php index f7d907843c..96d7aace2a 100755 --- a/main/notebook/index.php +++ b/main/notebook/index.php @@ -91,11 +91,12 @@ if ($action === 'addnote') { $form->addElement('header', '', get_lang('NoteAddNew')); $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['id' => 'note_title']); $form->applyFilter('text', 'html_filter'); - $form->addElement( - 'html_editor', + $form->applyFilter('text', 'attr_on_filter'); + $form->addHtmlEditor( 'note_comment', get_lang('NoteComment'), - null, + false, + false, api_is_allowed_to_edit() ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student'] ); $form->addButtonCreate(get_lang('AddNote'), 'SubmitNote'); 
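Review bot: `$form->addHtmlEditor('content_lp', '', true, true, $editor_config)` adds a required rule on `content_lp` that the old `addElement('html_editor', 'content_lp', '', null, $editor_config)` never had, so saving a learning-path document with empty content now fails validation. If that is not intended, pass `false`: `$form->addHtmlEditor('content_lp', '', false, true, $editor_config);`. The `$fullPage = true` argument is new as well and presumably is what keeps the whole-document HTML loaded via `file_get_contents($content_path)` intact — worth confirming against `addHtmlEditor`.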
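Review bot: In the first notebook hunk, `$form->applyFilter('text', 'attr_on_filter')` — like the pre-existing `$form->applyFilter('text', 'html_filter')` above it — targets an element named `text`, but the title element added on the previous line is named `note_title`, so neither filter is applied and the title is submitted unfiltered. Use the element name: `$form->applyFilter('note_title', 'html_filter');` and `$form->applyFilter('note_title', 'attr_on_filter');`. The same mismatch is repeated in the second notebook hunk and in the plugin's `NotebookTeacher.php`.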
@@ -158,14 +159,15 @@ if ($action === 'addnote') { $form->addElement('hidden', 'notebook_id'); $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['size' => '100']); $form->applyFilter('text', 'html_filter'); - $form->addElement( - 'html_editor', + $form->applyFilter('text', 'attr_on_filter'); + $form->addHtmlEditor( 'note_comment', get_lang('NoteComment'), - null, + false, + false, api_is_allowed_to_edit() - ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] - : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student'] + ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] + : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student'] ); $form->addButtonUpdate(get_lang('ModifyNote'), 'SubmitNote'); diff --git a/main/survey/create_new_survey.php b/main/survey/create_new_survey.php index fab4d3c658..8c34f62ded 100755 --- a/main/survey/create_new_survey.php +++ b/main/survey/create_new_survey.php @@ -142,18 +142,18 @@ if ('edit' == $action) { $form->applyFilter('survey_code', 'api_strtoupper'); } -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'survey_title', get_lang('SurveyTitle'), - null, + false, + false, ['ToolbarSet' => 'Survey', 'Width' => '100%', 'Height' => '200'] ); -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'survey_subtitle', get_lang('SurveySubTitle'), - null, + false, + false, [ 'ToolbarSet' => 'Survey', 'Width' => '100%', 
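Review bot: `$form->applyFilter('text', 'attr_on_filter')` (and the existing `html_filter` line above it) is keyed on `text`, which is not the name of any element here; the title field is `note_title`, so the edit form's title escapes both filters. Replace the two calls with `$form->applyFilter('note_title', 'html_filter');` and `$form->applyFilter('note_title', 'attr_on_filter');`. The remaining changes in this hunk are indentation only.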
@@ -194,18 +194,18 @@ if (api_get_configuration_value('hide_survey_reporting_button')) { $form->addElement('select', 'visible_results', get_lang('ResultsVisibility'), $visibleResults); } //$defaults['visible_results'] = 0; -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'survey_introduction', get_lang('SurveyIntroduction'), - null, + false, + false, ['ToolbarSet' => 'Survey', 'Width' => '100%', 'Height' => '130', 'ToolbarStartExpanded' => false] ); -$form->addElement( - 'html_editor', +$form->addHtmlEditor( 'survey_thanks', get_lang('SurveyThanks'), - null, + false, + false, ['ToolbarSet' => 'Survey', 'Width' => '100%', 'Height' => '130', 'ToolbarStartExpanded' => false] ); diff --git a/plugin/notebookteacher/src/NotebookTeacher.php b/plugin/notebookteacher/src/NotebookTeacher.php index 3defc4fbd2..53ef4bb68a 100644 --- a/plugin/notebookteacher/src/NotebookTeacher.php +++ b/plugin/notebookteacher/src/NotebookTeacher.php @@ -512,11 +512,12 @@ class NotebookTeacher $form->addElement('text', 'note_title', get_lang('NoteTitle'), ['id' => 'note_title']); $form->applyFilter('text', 'html_filter'); - $form->addElement( - 'html_editor', + $form->applyFilter('text', 'attr_on_filter'); + $form->addHtmlEditor( 'note_comment', get_lang('NoteComment'), - null, + false, + false, api_is_allowed_to_edit() ? ['ToolbarSet' => 'Notebook', 'Width' => '100%', 'Height' => '300'] : ['ToolbarSet' => 'NotebookStudent', 'Width' => '100%', 'Height' => '300', 'UserStatus' => 'student']